Documentation
Overview
Package killchain provides types for attack chain frameworks including MITRE ATT&CK and Lockheed Martin Cyber Kill Chain.
Index
Constants
This section is empty.
Variables
var CommonTechniques = map[string]Technique{
	"T1199": {ID: "T1199", Name: "Trusted Relationship", Tactic: InitialAccess},
	"T1078": {ID: "T1078", Name: "Valid Accounts", Tactic: InitialAccess},
	"T1110": {ID: "T1110", Name: "Brute Force", Tactic: CredentialAccess},
	"T1059": {ID: "T1059", Name: "Command and Scripting Interpreter", Tactic: Execution},
	"T1041": {ID: "T1041", Name: "Exfiltration Over C2 Channel", Tactic: Exfiltration},
	"T1082": {ID: "T1082", Name: "System Information Discovery", Tactic: Discovery},
}
CommonTechniques maps commonly referenced technique IDs to their Technique definitions for quick access.
Functions
This section is empty.
Types
type KillChainStep
type KillChainStep struct {
	// Phase is the Kill Chain phase.
	Phase LockheedPhase `json:"phase"`
	// Description describes what happens in this step.
	Description string `json:"description"`
	// MITRETechnique optionally maps to a MITRE ATT&CK technique.
	MITRETechnique *Technique `json:"mitreTechnique,omitempty"`
}
KillChainStep represents a step in an attack mapped to the Kill Chain.
func (KillChainStep) Label
func (s KillChainStep) Label() string
Label returns a formatted label for use in diagrams.
type LockheedPhase
type LockheedPhase int
LockheedPhase represents a phase in the Lockheed Martin Cyber Kill Chain.
const (
	// Recon is the reconnaissance phase - harvesting email addresses,
	// conference information, etc.
	Recon LockheedPhase = iota + 1
	// Weaponization is coupling exploit with backdoor into deliverable payload.
	Weaponization
	// Delivery is delivering weaponized bundle to the victim via email,
	// web, USB, etc.
	Delivery
	// Exploitation is exploiting a vulnerability to execute code on
	// victim's system.
	Exploitation
	// Installation is installing malware on the asset.
	Installation
	// CommandControl is establishing command channel for remote manipulation.
	CommandControl
	// ActionsOnObjectives is accomplishing the original goals of the intrusion.
	ActionsOnObjectives
)
func AllLockheedPhases
func AllLockheedPhases() []LockheedPhase
AllLockheedPhases returns all Cyber Kill Chain phases in order.
func (LockheedPhase) D2Class
func (p LockheedPhase) D2Class() string
D2Class returns the D2 style class name for this phase.
func (LockheedPhase) Number
func (p LockheedPhase) Number() int
Number returns the phase number (1-7).
func (LockheedPhase) ShortName
func (p LockheedPhase) ShortName() string
ShortName returns a short name for the phase.
func (LockheedPhase) String
func (p LockheedPhase) String() string
String returns the full name of the kill chain phase.
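An added example (not part of the killchain package) showing how steps typed with these phases can be checked for kill-chain order and rendered as D2 diagram source; it declares assumed local stand-ins for LockheedPhase and KillChainStep instead of importing the package, and the sample chain is constructed.

```go
package main
import (
	"fmt"
	"strings"
)
// Assumed stand-ins for the package's LockheedPhase and KillChainStep, declared locally so this compiles without importing killchain.
type LockheedPhase int
const (
	Recon LockheedPhase = iota + 1
	Weaponization
	Delivery
	Exploitation
	Installation
	CommandControl
	ActionsOnObjectives
)
var phaseNames = [...]string{"", "Recon", "Weaponization", "Delivery",
	"Exploitation", "Installation", "Command & Control", "Actions on Objectives"}
type KillChainStep struct {
	Phase       LockheedPhase
	Description string
	TechniqueID string // MITRE ATT&CK technique ID such as "T1059"; empty if unmapped
}

// ValidateOrder returns the index of the first step whose phase moves backwards through the chain, or -1 if all steps are in phase order.
func ValidateOrder(steps []KillChainStep) int {
	for i := 1; i < len(steps); i++ {
		if steps[i].Phase < steps[i-1].Phase {
			return i
		}
	}
	return -1
}

// RenderD2 emits D2 diagram source: one quoted node per step, then an edge per transition.
func RenderD2(steps []KillChainStep) string {
	var b strings.Builder
	for i, s := range steps {
		label := strings.TrimSpace(fmt.Sprintf("%d. %s: %s %s", s.Phase, phaseNames[s.Phase], s.Description, s.TechniqueID))
		fmt.Fprintf(&b, "s%d: %q\n", i, label)
		if i > 0 {
			fmt.Fprintf(&b, "s%d -> s%d\n", i-1, i)
		}
	}
	return b.String()
}

// sample is a constructed intrusion chain, not data from the page.
var sample = []KillChainStep{{Delivery, "Phishing mail", ""}, {Exploitation, "Macro stager", "T1059"}, {ActionsOnObjectives, "Exfil over C2", "T1041"}}
func main() { fmt.Print(RenderD2(sample), "in order: ", ValidateOrder(sample) == -1, "\n") }
```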
type MITRETactic
type MITRETactic string
MITRETactic represents a MITRE ATT&CK tactic (the "why" of an attack).
const (
	// Reconnaissance (TA0043) - Gathering information to plan future operations.
	Reconnaissance MITRETactic = "TA0043"
	// ResourceDevelopment (TA0042) - Establishing resources to support operations.
	ResourceDevelopment MITRETactic = "TA0042"
	// InitialAccess (TA0001) - Trying to get into your network.
	InitialAccess MITRETactic = "TA0001"
	// Execution (TA0002) - Trying to run malicious code.
	Execution MITRETactic = "TA0002"
	// Persistence (TA0003) - Trying to maintain foothold.
	Persistence MITRETactic = "TA0003"
	// PrivilegeEscalation (TA0004) - Trying to gain higher-level permissions.
	PrivilegeEscalation MITRETactic = "TA0004"
	// DefenseEvasion (TA0005) - Trying to avoid being detected.
	DefenseEvasion MITRETactic = "TA0005"
	// CredentialAccess (TA0006) - Trying to steal credentials.
	CredentialAccess MITRETactic = "TA0006"
	// Discovery (TA0007) - Trying to figure out your environment.
	Discovery MITRETactic = "TA0007"
	// LateralMovement (TA0008) - Trying to move through your environment.
	LateralMovement MITRETactic = "TA0008"
	// Collection (TA0009) - Trying to gather data of interest.
	Collection MITRETactic = "TA0009"
	// CommandAndControl (TA0011) - Trying to communicate with compromised systems.
	CommandAndControl MITRETactic = "TA0011"
	// Exfiltration (TA0010) - Trying to steal data.
	Exfiltration MITRETactic = "TA0010"
	// Impact (TA0040) - Trying to manipulate, interrupt, or destroy systems.
	Impact MITRETactic = "TA0040"
)
func AllMITRETactics
func AllMITRETactics() []MITRETactic
AllMITRETactics returns all MITRE ATT&CK tactics in attack order.
func (MITRETactic) D2Class
func (t MITRETactic) D2Class() string
D2Class returns the D2 style class name for this tactic.
func (MITRETactic) String
func (t MITRETactic) String() string
String returns the full name of the tactic.
func (MITRETactic) URL
func (t MITRETactic) URL() string
URL returns the MITRE ATT&CK URL for this tactic.
type Technique
type Technique struct {
	// ID is the technique identifier (e.g., "T1199").
	ID string `json:"id"`
	// Name is the technique name.
	Name string `json:"name"`
	// Tactic is the parent tactic this technique belongs to.
	Tactic MITRETactic `json:"tactic"`
	// Description provides details about the technique.
	Description string `json:"description,omitempty"`
	// SubTechniqueID is the sub-technique ID if applicable (e.g., "T1059.001").
	SubTechniqueID string `json:"subTechniqueId,omitempty"`
}
Technique represents a MITRE ATT&CK technique (the "how" of an attack).